Slide 1

Slide 1 text

Suzette Franck
Introduction to backups and security
by Suzette Franck
September 5, 2012
#wclax @suzette_franck

Slide 2

Slide 2 text

twitter: @suzette_franck
Front-end Developer at WebDevStudios

Slide 3

Slide 3 text

what we will cover
1. top vulnerabilities and risks
2. prevention
3. getting hacked
4. backups
5. resources

Slide 4

Slide 4 text

Top vulnerabilities
1. Virus-free computer
2. Weak or compromised passwords
3. Outdated server software
4. Unreliable hosting
5. Plugin or theme (bad or malicious coding)

Slide 5

Slide 5 text

why do hackers hack?
1. gain your server’s resources
2. something malicious or spammy
3. promote propaganda
4. make money
5. spread viruses
6. because they can
7. yes, big or small, everyone is a target

Slide 6

Slide 6 text

Am I at risk? yes!
1. use internet
2. have passwords
3. own a website

Slide 7

Slide 7 text

steps to reduce risks?
1. prevention is the best medicine
2. best password practices
3. get good hosting
4. know your plugin and theme sources
5. keep software updated

Slide 8

Slide 8 text

password management
1. complicated passwords
2. don’t use FTP, use SFTP or SSH
3. different passwords for everything
4. use a password manager (LastPass)
5. practice least privilege
6. access only what is needed and when
7. remove old accounts

Slide 9

Slide 9 text

password creation
1. never use “password”
2. don’t use pet or children’s names
3. uppercase letters, lowercase letters, numbers, special characters
4. longer is better than shorter
5. use password managers to create and store new passwords

Slide 10

Slide 10 text

choosing hosting
1. use a reputable web hosting company
2. should offer SFTP or SSH access
3. pay now for good hosting or pay later for bad hosting
4. shared hosting or VPS?
5. keep server software PHP & MySQL up-to-date (you or host)
6. do they have emergency backups? Fees?

Slide 11

Slide 11 text

wordpress hosting

Slide 12

Slide 12 text

wordpress application
1. update WordPress (1. vs .1 releases)
2. don’t log in with admin, create new account
3. each user should have their own account
4. use the user roles - admin, editor
5. always practice least privilege
6. remove unused accounts

Slide 13

Slide 13 text

wordpress application
1. limit login attempts plugin
2. file and folder permissions
   1. files: 644 read write execute
   2. folders: 755
   3. don’t use: 777
3. move wp-config.php up a directory (not multisite)
4. wp-config.php: define('FORCE_SSL_LOGIN', true);
5. define('FORCE_SSL_ADMIN', true);
6. wp-config.php add secret keys
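
Added example (not part of the original slides): a shell check for the file and folder permissions listed on this slide. It reports anything looser than files 644 / folders 755 and flags world-writable entries such as 777; the function name and the output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the slides): report WordPress files and folders whose
# modes are looser than the slide's values (files 644, folders 755, never 777).
# Stricter modes (for example 600 on wp-config.php) are not reported.

audit_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Anything world-writable (777, 666, 757, ...) is the most urgent finding.
    # Symlinks are skipped: their own mode bits are not meaningful.
    find "$root" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'

    # Files looser than 644: any execute bit, or group write.
    find "$root" -type f ! -perm -0002 \
        \( -perm -0100 -o -perm -0020 -o -perm -0010 -o -perm -0001 \) -print |
        sed 's/^/FILE-LOOSER-THAN-644 /'

    # Folders looser than 755: group write.
    find "$root" -type d ! -perm -0002 -perm -0020 -print |
        sed 's/^/DIR-LOOSER-THAN-755 /'
}

# Run against a path given on the command line (the path is the reader's own).
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```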

Slide 14

Slide 14 text

plugin and theme safety
1. know your sources (WordPress.org)
2. backup, then update plugins and themes
3. test on a local or development server
4. delete inactive plugins and themes
5. use as few plugins as it takes to get the job done

Slide 15

Slide 15 text

You’ve been hacked
1. reduce reinfection: clean up, restore, or take down site ASAP
2. don’t get Google blacklisted
3. hire experts, like Sucuri
4. restore site from recent backup
5. does your host offer emergency backups?
6. time matters!

Slide 16

Slide 16 text

backups
1. hacked sites may be cleaned, but…
2. usually cannot undo damage done
3. updates to software may break sites
4. maintaining backups is essential
5. set up an automatic schedule
6. know how to do a manual backup
7. backup files as well as database

Slide 17

Slide 17 text

manual database backup
1. log in to phpMyAdmin
2. export to .sql using default settings

or

3. install “WP Migrate DB” plugin
4. configure and run plugin

Slide 18

Slide 18 text

using phpMyAdmin

Slide 19

Slide 19 text

Using WP Migrate DB
1. install and configure WP Migrate DB by Delicious Brains

Slide 20

Slide 20 text

manual database backup
1. uncheck compress with .gzip & copy

Slide 21

Slide 21 text

backup your files, too!
1. FileZilla or other SFTP client

Slide 22

Slide 22 text

automatic backups

Slide 23

Slide 23 text

backup essentials
1. backup files and db before updates!
2. don’t store backups on your server
3. schedule backups based on how much information you’re willing to lose
4. test backups periodically
5. keep backups accessible for emergencies
6. http://codex.wordpress.org/WordPress_Backups
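
Added example (not part of the original slides): a shell check for "test backups periodically" and "backup files as well as database". It assumes a single .tar.gz archive holding the WordPress tree plus the exported .sql file, and that the export contains CREATE TABLE statements; the function name, archive layout and messages are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the slides): check that a backup archive can be read
# back and holds both the site files and a database dump.
# Assumption: one .tar.gz containing the WordPress tree plus the exported .sql.

verify_wp_backup() {
    archive=$1
    [ -f "$archive" ] || { echo "FAIL missing archive"; return 1; }

    # A truncated or corrupt archive fails here, before anything else is trusted.
    listing=$(tar -tzf "$archive" 2>/dev/null) ||
        { echo "FAIL unreadable archive"; return 1; }

    # Files: the config file and the wp-content folder must both be present.
    printf '%s\n' "$listing" | grep -E -q '(^|/)wp-config\.php$' ||
        { echo "FAIL no wp-config.php"; return 1; }
    printf '%s\n' "$listing" | grep -E -q '(^|/)wp-content/' ||
        { echo "FAIL no wp-content"; return 1; }

    # Database: take the first .sql member and confirm it really defines tables,
    # so an empty or cut-off export does not pass as a backup.
    dump=$(printf '%s\n' "$listing" | grep '\.sql$' | head -n 1)
    [ -n "$dump" ] || { echo "FAIL no .sql dump"; return 1; }
    tables=$(tar -xzOf "$archive" "$dump" | grep -c 'CREATE TABLE' || true)
    [ "$tables" -gt 0 ] || { echo "FAIL dump has no tables"; return 1; }

    echo "OK $tables tables in $dump"
}

# Run against an archive given on the command line (the path is the reader's own).
if [ "$#" -gt 0 ]; then
    verify_wp_backup "$1"
fi
```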

Slide 24

Slide 24 text

resources
1. http://blog.sucuri.net/
2. WordPress.tv WordCamp Sessions:
   1. Dre Armeda
   2. Brad Williams
   3. Tony Perez
3. Google (recent articles)
4. “Locking Down WordPress” (Code Poet)

Slide 25

Slide 25 text

questions?
follow me on twitter: @suzette_franck